Destructive malware - a closer look at an SMB worm tool

On December 19 US-CERT released an alert, TA14-353A, relating to seven tools used to target a major entertainment company.

Some, such as the “Network Propagation Wiper” have been well described before. Less well known, however, is the SMB Worm Tool which US-CERT describes as follows:

“SMB Worm Tool: This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and file is copied and run on the newly-infected host.”

Meet SVCH0ST.EXE

The US-CERT alert doesn’t contain file hashes (only import hashes) which makes directly identifying particular samples more difficult. However, there is a file that closely matches the signature for the SMB Worm Tool:

Original Filename: SVCH0ST.EXE

MD5: 61bf45be644e03bebd4fbf33c1c14be2

Compilation Timestamp: 2014-10-16 05:00:56

Uploaded to VirusTotal: 2014-12-19 20:19:38 (from the US)

Mutex: Global\FwtSqmSession106829323_S-1-5-19

Resources: Korean

This sample (SVCH0ST.EXE) matches the fairly unique mutex of the US-CERT sample. It also matches another string (“EVERYONE”) and contains a somewhat similar “leet speak” string:

Auditing failed SMB logon attempts is good practice and would raise an alert in this case;

We see a number of threat actors employing remotely scheduled tasks in order to move laterally across networks. Typically attackers do this from the command prompt with the “at” command; however, as seen here, malware can use the same trick; and,

The original SANS article on SMB Worms suggests disabling the task scheduling service as an option to limit the ability of worms to spread; however, doing so can prevent required Windows Updates from being installed. Remote task scheduling can instead be limited through firewall settings, where appropriate.
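To make the two detection points above concrete, here is an added example (not code from the original post or from the sample analysed) that runs a simple rule over constructed Windows Security log records: it flags a source that produces a burst of failed network (SMB) logons across several accounts, then checks whether the same source goes on to log on successfully and create a scheduled task. The field names, the `src_ip` enrichment on the task-creation record and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on fields a SIEM extracts from Windows Security
# events: 4625 = failed logon, 4624 = successful logon (LogonType 3 = network, which is
# what an SMB connection produces), 4698 = scheduled task created (src_ip is assumed).
FIELDS = ("time", "event_id", "logon_type", "src_ip", "user", "task")
SAMPLE_EVENTS = [dict(zip(FIELDS, r)) for r in [
    ("2014-12-19 20:00:01", 4625, 3, "10.0.0.5", "administrator", None),
    ("2014-12-19 20:00:02", 4625, 3, "10.0.0.5", "administrator", None),
    ("2014-12-19 20:00:03", 4625, 3, "10.0.0.5", "backup", None),
    ("2014-12-19 20:00:04", 4625, 3, "10.0.0.5", "backup", None),
    ("2014-12-19 20:00:05", 4625, 3, "10.0.0.5", "svc_sql", None),
    ("2014-12-19 20:00:09", 4624, 3, "10.0.0.5", "svc_sql", None),      # a guess landed
    ("2014-12-19 20:00:12", 4698, None, "10.0.0.5", "svc_sql", "\\At1"),  # remote task created
    ("2014-12-19 20:10:00", 4625, 3, "10.0.0.7", "jsmith", None),       # one typo, not a burst
    ("2014-12-19 20:30:00", 4625, 2, "-", "jsmith", None),              # interactive, not SMB
]]

def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")

def detect_smb_guessing(events, window=timedelta(minutes=5), threshold=5, min_users=2):
    """Return {src_ip: (burst_start, users_tried)} for sources with >= threshold failed
    network logons against >= min_users distinct accounts inside one window."""
    failures = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["event_id"] == 4625 and e["logon_type"] == 3:
            failures[e["src_ip"]].append(e)
    alerts = {}
    for ip, evs in failures.items():
        for i, start in enumerate(evs):            # slide the window over each burst start
            burst = [x for x in evs[i:] if _ts(x) - _ts(start) <= window]
            users = {x["user"] for x in burst}
            if len(burst) >= threshold and len(users) >= min_users:
                alerts[ip] = (_ts(start), users)
                break
    return alerts

def correlate_spread(events, alerts, window=timedelta(minutes=5)):
    """Spread pattern from the post: guessing burst, then a successful network logon and a
    scheduled task creation from the same source. Returns [(src_ip, user, task)]."""
    landed, hits = set(), []
    for e in sorted(events, key=_ts):
        ip = e["src_ip"]
        if ip not in alerts or not (timedelta(0) <= _ts(e) - alerts[ip][0] <= window):
            continue
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            landed.add(ip)
        elif e["event_id"] == 4698 and ip in landed:
            hits.append((ip, e["user"], e["task"]))
    return hits
```

Thresholds need tuning per environment: a handful of failures from one workstation against one account is usually a mistyped password, which is why the rule also requires several distinct accounts.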

Why You Shouldn’t Disable The Task Scheduler Service in Windows 7 and Windows 8, http://blogs.technet.com/b/askpfeplat/archive/2013/07/15/why-you-shouldn-t-disable-the-task-scheduler-service-in-windows-7-and-windows-8.aspx

For more in-depth coverage, including full details of the analysis behind this blog as well as additional indicators which can be used to detect similar samples, or if you have any other queries, please give us a shout at [email protected]